Reverse NAT using ver 15.2.4M5

Alan Wood
Level 1

I have a client that is using static NAT to access a server environment. The user is currently being NAT'ed coming inside to outside, using the standard config. They want to be able to go from outside in, using the same IP address.

Ex.

192.60.251.42 NATs to 172.224.120; this gives the client access to a server farm.

Reverse: from server farm IP 172.27.234.X, reverse NAT to 192.60.251.42

I have looked at the outside-to-in using route maps, but that is not supported in the IOS for this device.

Any help would be appreciated.

5 Replies

Jon Marshall
Hall of Fame

Alan

Don't understand what you mean by this -

Reverse from server farm IP 172.27.234.X reverse nat to 192.60.251.42

so the client IP of 192.60.251.42 gets translated to 172.224.120.x when it goes to the server.

Is that correct ?

If so, what do you want to happen the other way? I.e. it would help if you could list all IPs, their translations and the directions for clarity.

Jon

Jon, we use NAT to control access into an environment.

So the user accessing the server 172.27.234.77, from his workstation 192.60.251.42, gets NATted from 192.60.251.42 to 172.224.120.120. What the user wants to do is run some applications on his desktop, but he wants to originate the traffic from the server to his workstation. The issue is, if he does that, then he gets NATted as he goes through the router with the static NAT, but any traffic he would originate from the server would get NATted again on the return path.

I hope I am explaining correctly.

So the user wants to originate traffic outside to inside, after he has logged into the server using the normal inside-to-outside static NAT.

Is there a way to have him originate the traffic in the other direction, in what I am thinking (but may not be correct) is a reverse NAT?

I uploaded a new config that has more IPs. Thanks

Alan

Sorry, I am obviously being a bit dense but I still can't work it out which is why I asked for IPs and directions. I get this part -

Client 192.60.251.42 is translated with a static to 172.224.120.120 when he goes through the router to the server, which has an IP of 172.27.234.77.

I also understand that the user wants to run some apps on his desktop, so in effect the client is the server and the server is the client for those apps.

What do you want to happen when a connection is made from the server to the app on the client? I.e.

source IP, destination IP before getting to the router, and then

source IP, destination IP after going through the router to the client.

It really helps if you just list what you want done with the IPs.

And also the apps on the desktop: what are these, i.e. do you know the port number for these apps?

Apologies for not getting this at the moment :-)

Jon

Jon, what I believe needs to happen is the reverse of the NAT when traffic comes into the server environment. There is only one path in and out, so user traffic has to pass through the router and get NAT'd, but that is only one-way traffic. It needs to be both ways.

So traffic was NAT'd from 192.60.251.42 to 172.27.224.120 inside to outside. The user is on the server and wants to run some performance metric software on his PC; the traffic needs to be NAT'd in the other direction, 172.27.224.120 to 192.60.251.42. The port is 6901.

I guess I should also say there is a firewall in between the router and the server environment. All the FW does is take the NAT'd address from the router and route it to the correct interface to access the server VLAN. It is not doing any translation. So the server sends traffic to the NAT'd address on the FW, and it passes the traffic to the router, but the router won't recognize the traffic because of the one-way NAT setup. It would need to be reverse NAT'd back to the originating IP on the desktop. That's what I believe should happen. I just don't have a handle on how to make it happen.

Hope that helps?  Thanks

Alan

A static NAT translation is two-way, i.e. both inside to outside and outside to inside.

So if all you want to do is, from the server, be able to connect to 172.27.224.120 and have that get translated to the PC's IP, this should happen automatically with the static NAT you already have set up on the router.

I thought you wanted to use different IPs which is why I kept asking for all the IP information.

If it isn't working then the only thing I can think of is the firewall, to be honest, because the router should simply do the translation as requested, i.e.

if the PC connects to the server using RDP, for example, then the source port is random, the destination port is 3389 and the PC's IP is translated to 172.27.224.120.

So now he is on the server.

If he then, from the server, makes a connection to 172.27.224.120 for the app running on his PC, then the source port is random and the destination port is 6901.

As far as I know the NAT translations should not conflict with each other at all as far as the router is concerned.

Because it is a static one-to-one mapping the ports should not be changed either, and if you have an app using port 6901 on the PC then the PC couldn't possibly use the same port as a random source port for the RDP connection or any other connection.

It's late where I am and you just caught me before logging off, but I would look at

1) the firewall

and

2) the NAT translation table on the router, i.e.

get the user to make a connection from the server to the app and see if there is a translation in the table, e.g. "sh ip nat translations ..."

I'll have a good look through your configuration tomorrow to make sure there is nothing that could be interfering with the NAT, but I think it should work as is (firewall aside).

Jon
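As an added illustration of the point Jon makes above (this is example code, not anything posted in the thread), the Python model below replays the two connections discussed, the PC's RDP session to the server and the server's connection back to port 6901, through a static one-to-one NAT entry and, for contrast, through a dynamic overload (PAT) entry. The IP addresses are the ones from the thread; the packets, the source ports 51234 and 40001, and the class and function names are constructed for the example. On IOS the static entry corresponds to `ip nat inside source static 192.60.251.42 172.27.224.120` with `ip nat inside` and `ip nat outside` set on the respective interfaces, and `show_translations` returns lines shaped like `show ip nat translations` output so you can compare against the router.

```python
"""Model of Cisco IOS `ip nat inside source` behaviour, written to show why a
static one-to-one entry serves connections in both directions while a
dynamic/overload (PAT) entry only exists for inside-originated flows.
Addresses are the ones from the thread; every packet below is constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One entry of `ip nat inside source static <inside_local> <inside_global>`."""

    def __init__(self, inside_local, inside_global):
        self.inside_local = inside_local
        self.inside_global = inside_global
        self.table = []  # rows in `show ip nat translations` column order

    def inside_to_outside(self, pkt):
        """Packet entering on an `ip nat inside` interface: rewrite the source."""
        if pkt.src != self.inside_local:
            return pkt  # no entry for this host: forwarded untranslated
        out = replace(pkt, src=self.inside_global)
        self._record(pkt.proto, f"{pkt.src}:{pkt.sport}",
                     f"{out.src}:{out.sport}", f"{pkt.dst}:{pkt.dport}")
        return out

    def outside_to_inside(self, pkt):
        """Packet entering on an `ip nat outside` interface: rewrite the destination.
        This works for a brand-new, outside-originated connection because the
        static entry exists before any traffic flows; ports are left untouched."""
        if pkt.dst != self.inside_global:
            return pkt
        out = replace(pkt, dst=self.inside_local)
        self._record(pkt.proto, f"{out.dst}:{out.dport}",
                     f"{pkt.dst}:{pkt.dport}", f"{pkt.src}:{pkt.sport}")
        return out

    def _record(self, proto, inside_local, inside_global, outside):
        # Pro  Inside global  Inside local  Outside local  Outside global
        row = (proto, inside_global, inside_local, outside, outside)
        if row not in self.table:  # reply packets reuse the existing entry
            self.table.append(row)

    def show_translations(self):
        """Lines shaped like `show ip nat translations` output."""
        return ["%-4s %-22s %-22s %-22s %s" % row for row in self.table]


class OverloadNat:
    """Simplified `ip nat inside source list ... overload` (PAT): entries are
    created only by inside-originated traffic, so an outside-originated
    connection finds no entry and is dropped (returned as None)."""

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.sessions = {}  # (proto, global port) -> (inside host, its port)

    def inside_to_outside(self, pkt):
        # Real PAT picks a free global port; the source port is kept here for brevity.
        self.sessions[(pkt.proto, pkt.sport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.inside_global)

    def outside_to_inside(self, pkt):
        hit = self.sessions.get((pkt.proto, pkt.dport))
        if hit is None:
            return None  # no translation: the packet never reaches the inside host
        return replace(pkt, dst=hit[0], dport=hit[1])


PC, PC_GLOBAL, SERVER = "192.60.251.42", "172.27.224.120", "172.27.234.77"


def thread_flows(nat):
    """Replay the two connections from the thread through `nat` and return the
    packets as they leave the router (None means dropped)."""
    rdp = nat.inside_to_outside(Packet("tcp", PC, 51234, SERVER, 3389))
    rdp_reply = nat.outside_to_inside(Packet("tcp", SERVER, 3389, rdp.src, rdp.sport))
    metrics = nat.outside_to_inside(Packet("tcp", SERVER, 40001, PC_GLOBAL, 6901))
    return rdp, rdp_reply, metrics


if __name__ == "__main__":
    static = StaticNat(PC, PC_GLOBAL)
    print(thread_flows(static))
    print("\n".join(static.show_translations()))
    print(thread_flows(OverloadNat(PC_GLOBAL)))
```

With the static entry, the server-originated connection to 172.27.224.120:6901 is delivered to 192.60.251.42:6901 and shows up as a second translation row; with the overload entry the same packet is dropped, which is the "one-way" behaviour the original post was worried about. If the real router shows the 6901 row in `show ip nat translations` and the PC still sees nothing, the router has done its part and the firewall is the next place to look.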
